Date:      Wed, 15 Jan 1997 17:18:10 +0100
From:      Poul-Henning Kamp <phk@critter.dk.tfs.com>
To:        current@freebsd.org
Subject:   ipfw patches to test
Message-ID:  <27547.853345090@critter.dk.tfs.com>


Well, I needed this badly, so I looked at it.  If somebody wants to
try out this little patch, please report how it goes.

Basically you can now say

	ipfw add deny !from 192.168.23.0/30 to 140.145.230.0/24

or "!to" for that matter.  Give it a whirl...

Poul-Henning

Index: ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.34
diff -u -r1.34 ipfw.c
--- ipfw.c	1996/10/17 01:05:03	1.34
+++ ipfw.c	1997/01/15 16:06:31
@@ -158,7 +158,7 @@
 	else
 		printf("%u", chain->fw_prot);
 
-	printf(" from ");
+	printf(" %sfrom ", chain->fw_flg & IP_FW_F_INVSRC ? "!" : "");
 
 	adrt=ntohl(chain->fw_smsk.s_addr);
 	if (adrt==ULONG_MAX && do_resolv) {
@@ -198,7 +198,7 @@
 		}
 	}
 
-	printf(" to ");
+	printf(" %sto ", chain->fw_flg & IP_FW_F_INVDST ? "!" : "");
 
 	adrt=ntohl(chain->fw_dmsk.s_addr);
 	if (adrt==ULONG_MAX && do_resolv) {
@@ -679,6 +679,7 @@
 
 	/* from */
 	if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
+	else if (ac && !strncmp(*av,"!from",strlen(*av))) { av++; ac--; rule.fw_flg |= IP_FW_F_INVSRC;}
 	else show_usage("missing ``from''\n");
 
 	fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av);
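Review bot: The new `!from` test on the added line inherits the prefix-match quirk of the existing `from` test: `strncmp(*av, "!from", strlen(*av))` compares only as many characters as the user typed, so a bare `!` or `!f` is silently accepted as `!from`, and the same holds for `!to` in the next hunk. For a keyword that flips the meaning of a deny rule it is worth being strict, e.g. `else if (ac && !strcmp(*av, "!from")) { av++; ac--; rule.fw_flg |= IP_FW_F_INVSRC; }` and likewise `!strcmp(*av, "!to")` in the `to` hunk. The one-line `else if` also packs three statements and a flag update onto a single line; splitting it onto separate lines would match how the rest of the parser is likely formatted. The parsing function this belongs to starts and ends outside the hunk.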
@@ -691,6 +692,7 @@
 
 	/* to */
 	if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; }
+	else if (ac && !strncmp(*av,"!to",strlen(*av))) { av++; ac--; rule.fw_flg |= IP_FW_F_INVDST;}
 	else show_usage("missing ``to''\n");
 
 	if (!ac) show_usage("Missing arguments\n");



Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.51
diff -u -r1.51 ip_fw.c
--- ip_fw.c	1996/10/12 19:49:36	1.51
+++ ip_fw.c	1997/01/15 15:58:18
@@ -290,6 +290,7 @@
 	struct ifaddr *ia = NULL, *ia_p;
 	struct in_addr src, dst, ia_i;
 	u_short src_port, dst_port, offset;
+	int i;
 
 	src = ip->ip_src;
 	dst = ip->ip_dst;
@@ -320,11 +321,17 @@
 			continue;
 
 		/* If src-addr doesn't match, not this rule. */
-		if ((src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)
+		i = (src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr;
+		if (i && !(f->fw_flg & IP_FW_F_INVSRC))
+			continue;
+		if (!i && (f->fw_flg & IP_FW_F_INVSRC))
 			continue;
 
 		/* If dest-addr doesn't match, not this rule. */
-		if ((dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr)
+		i = (dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr;
+		if (i && !(f->fw_flg & IP_FW_F_INVDST))
+			continue;
+		if (!i && (f->fw_flg & IP_FW_F_INVDST))
 			continue;
 
 		/* If a i/f name was specified, and we don't know */
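Review bot: Each inverted check is written as two `if`/`continue` pairs that together mean "skip when mismatch differs from the invert flag"; a single comparison is clearer and removes a branch from the per-packet path: `if (i != ((f->fw_flg & IP_FW_F_INVSRC) != 0)) continue;` and `if (i != ((f->fw_flg & IP_FW_F_INVDST) != 0)) continue;`. The temporary `i` declared in the previous hunk would read better as `mismatch` (or `bool`-like `nomatch`), since it holds a truth value, not an index. One behavioural consequence worth a comment here: if a wildcard source or destination is encoded as an all-zero mask (as the `fw_smsk`/`fw_dmsk` masking suggests), the mismatch is always false and an inverted rule such as `deny !from any` can never match — the userland parser should probably reject that combination rather than install a rule that silently does nothing. The enclosing filter function starts and ends outside the hunk.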
Index: ip_fw.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.23
diff -u -r1.23 ip_fw.h
--- ip_fw.h	1996/08/21 21:36:57	1.23
+++ ip_fw.h	1997/01/15 15:56:35
@@ -64,6 +64,8 @@
 /*
  * Values for "flags" field .
  */
+#define IP_FW_F_INVSRC	0x0001  /* Invert sense of src check	      */
+#define IP_FW_F_INVDST	0x0002  /* Invert sense of dst check	      */
 #define IP_FW_F_IN	0x0004	/* Inbound 			      */
 #define IP_FW_F_OUT	0x0008	/* Outbound			      */
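Review bot: The new comments should say what is inverted, since the ip_fw.c change only inverts the address/mask comparison and not any other per-rule check: `#define IP_FW_F_INVSRC	0x0001	/* Invert sense of src addr/mask check */` and `#define IP_FW_F_INVDST	0x0002	/* Invert sense of dst addr/mask check */`. Bits 0x0001 and 0x0002 are not shown as used by the neighbouring definitions, but any existing mask elsewhere in this header that covers the low bits of `fw_flg` would now include them, so that is worth confirming outside the hunk. Also, the added lines use spaces before the comment while the existing `IP_FW_F_IN`/`IP_FW_F_OUT` lines use a tab, so the column alignment drifts.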
 
--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com	    TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.


